A docker-contained koseven hello world to play with CVE-2019-8979, a SQL injection vulnerability affecting versions < 3.3.10. This hello world actually comes from the documentation, I just added the Docker parts and the PoC exploit.
This SQL injection issue was originally reported by a third party and fixed on 27 Feb 2019 in master but the devs forgot to publish a new release containing the fix. As a result the latest stable release at the time, koseven-3.3.9 published on 20 Nov 2018, remained vulnerable until koseven-3.3.10 was released on 12 Oct 2020, after elttam noticed and privately disclosed the oversight to the core developers on 10 Oct 2020.
Although some information can be obtained from MySQL such as current_user(), database() or table and column names from information_schema, it may not be possible to retrieve data from other tables due to strtoupper() being called on the order by direction input.
This is because database and table names are case sensitive when MySQL is running on an operating sytem where the data directory resides on a case sensitive filesystem. As a result this SQLi may only be fully exploitable if:
-
the filesystem is not case sensitive such as in Windows or macOS/HFS+
-
the
lower_case_table_namessysvar is> 0 -
the target database and table name and column names are already all uppercase (unlikely)
See Identifier Case Sensitivity for more info.
